Forum Discussion
CurlX2305
Aug 27, 2022 Copper Contributor
Advanced Hunting Query Powershell Command Line
I was testing if I was able to detect various PowerShell Commands in the Advanced Hunting and this was the result: Via Windows Powershell CommandLine I executed: (Invoke-Webrequest -Uri "https:/...
- Aug 28, 2022
You will need to enable PowerShell script block logging via GPO to see the full commands that were run.
Dutchboy
Dec 05, 2022 Copper Contributor
This is because the ActionType is detected after the command has successfully executed, not while it is being called.
Try the below as a workaround. You might need to filter based on events, but PowerShell which has an Invoke-WebRequest needs to be checked.
DeviceProcessEvents
| where FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-Expression", "uri")
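Added example, not code from either reply: the script below does on one host what the two answers describe, turning on script block logging through the same policy registry value the GPO setting writes, and then filtering the resulting event ID 4104 records for the same Invoke-WebRequest / Invoke-Expression strings the DeviceProcessEvents query looks for. The pattern list, the function names and the 500-event cap are my choices; it assumes Windows PowerShell 5.1 or later and an elevated session, since the key lives under HKLM.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Enables PowerShell script block logging via
# the policy key that the GPO "Turn on PowerShell Script Block Logging" writes, then
# reads the 4104 events it produces and flags the same strings the thread's
# DeviceProcessEvents query matches on. Assumes Windows PowerShell 5.1+ and an
# elevated session; pattern list and function names are this example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Same value the GPO sets; it applies to PowerShell sessions started afterwards,
    # so the session that runs this script is not itself covered.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'EnableScriptBlockLogging' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    (Get-ItemProperty -Path $PolicyKey).EnableScriptBlockLogging -eq 1
}

function Get-SuspiciousScriptBlocks {
    param(
        # Constructed watch list: the cmdlets from the thread plus their common aliases.
        [string[]]$Patterns = @('Invoke-WebRequest', 'Invoke-Expression', 'iwr', 'iex', 'DownloadString'),
        [int]$MaxEvents = 500
    )
    # Event 4104 in Microsoft-Windows-PowerShell/Operational carries the script text as
    # the engine compiled it, so the full command line is visible here even when the
    # process creation record only shows "powershell.exe".
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = $_.Properties[2].Value
            foreach ($p in $Patterns) {
                # Word-bounded, case-insensitive match so "iwr" does not hit every word containing it
                if ($text -match "\b$([regex]::Escape($p))\b") {
                    [pscustomobject]@{
                        Time        = $_.TimeCreated
                        Match       = $p
                        ScriptBlock = $text
                    }
                    break
                }
            }
        }
}

# Usage: enable logging once, then review what new sessions have logged.
Enable-ScriptBlockLogging
Get-SuspiciousScriptBlocks | Format-List
```

Run it once, open a fresh PowerShell window, execute the Invoke-WebRequest line from the question, and run `Get-SuspiciousScriptBlocks` again: the 4104 record will contain the full cmdlet invocation that the process-creation record in Advanced Hunting did not show.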